Adds feature to disable IMDSv1 by default for new Elastic BeanStalk e…

…nvironments. Also adds support for new command line parameter --disable-imds-v1 useful for updating existing environments.
aws · Jun 20, 2024 · 821a787 · 821a787
1 parent f6a7330
commit 821a787
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 6 deletions.
diff --git a/src/Amazon.ElasticBeanstalk.Tools/Amazon.ElasticBeanstalk.Tools.csproj b/src/Amazon.ElasticBeanstalk.Tools/Amazon.ElasticBeanstalk.Tools.csproj
@@ -10,7 +10,7 @@
     <PackAsTool>true</PackAsTool>
     <ToolCommandName>dotnet-eb</ToolCommandName>
     <GeneratePackageOnBuild>true</GeneratePackageOnBuild>
-    <Version>4.3.4</Version>
+    <Version>4.4.0</Version>
     <AssemblyName>dotnet-eb</AssemblyName>
     <Authors>Amazon Web Services</Authors>
     <Copyright>Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.</Copyright>

diff --git a/src/Amazon.ElasticBeanstalk.Tools/Commands/CommandProperties.cs b/src/Amazon.ElasticBeanstalk.Tools/Commands/CommandProperties.cs
@@ -19,6 +19,7 @@ public class DeployEnvironmentProperties
         public string IISWebSite { get; set; }
         public bool? WaitForUpdate { get; set; }
         public bool? EnableXRay { get; set; }
+        public bool? DisableIMDSv1 { get; set; }
         public Dictionary<string,string> Tags { get; set; }
         public Dictionary<string, string> AdditionalOptions { get; set; }
 
@@ -92,6 +93,8 @@ internal void ParseCommandArguments(CommandOptions values)
                 this.LoadBalancerType = tuple.Item2.StringValue;
             if ((tuple = values.FindCommandOption(EBDefinedCommandOptions.ARGUMENT_ENABLE_STICKY_SESSIONS.Switch)) != null)
                 this.EnableStickySessions = tuple.Item2.BoolValue;
+            if ((tuple = values.FindCommandOption(EBDefinedCommandOptions.ARGUMENT_DISABLE_IMDS_V1.Switch)) != null)
+                this.DisableIMDSv1 = tuple.Item2.BoolValue;
 
             if ((tuple = values.FindCommandOption(EBDefinedCommandOptions.ARGUMENT_PROXY_SERVER.Switch)) != null)
                 this.ProxyServer = tuple.Item2.StringValue;

diff --git a/src/Amazon.ElasticBeanstalk.Tools/Commands/DeployEnvironmentCommand.cs b/src/Amazon.ElasticBeanstalk.Tools/Commands/DeployEnvironmentCommand.cs
@@ -40,6 +40,7 @@ public class DeployEnvironmentCommand : EBBaseCommand
             EBDefinedCommandOptions.ARGUMENT_INSTANCE_TYPE,
             EBDefinedCommandOptions.ARGUMENT_HEALTH_CHECK_URL,
             EBDefinedCommandOptions.ARGUMENT_ENABLE_XRAY,
+            EBDefinedCommandOptions.ARGUMENT_DISABLE_IMDS_V1,
             EBDefinedCommandOptions.ARGUMENT_ENHANCED_HEALTH_TYPE,
             EBDefinedCommandOptions.ARGUMENT_INSTANCE_PROFILE,
             EBDefinedCommandOptions.ARGUMENT_SERVICE_ROLE,
@@ -59,6 +60,9 @@ public class DeployEnvironmentCommand : EBBaseCommand
         const string OPTIONS_NAME_PROXY_SERVER = "ProxyServer";
         const string OPTIONS_NAME_APPLICATION_PORT = "PORT";
 
+        const string OPTIONS_NAMESPACE_DISABLE_IMDS_V1 = "aws:autoscaling:launchconfiguration";
+        const string OPTIONS_NAME_DISABLE_IMDS_V1 = "DisableIMDSv1";
+
         public string Package { get; set; }
 
         public DeployEnvironmentProperties DeployEnvironmentOptions { get; } = new DeployEnvironmentProperties();
@@ -415,7 +419,14 @@ private async Task<string> CreateEnvironment(string application, string environm
                     Value = loadBalancerType
                 });
             }
-
+
+            // For new environments, disable IMDSv1 by default (unless explicitly enabled in additional options).
+            createRequest.OptionSettings.Add(new ConfigurationOptionSetting()
+            {
+                Namespace = OPTIONS_NAMESPACE_DISABLE_IMDS_V1,
+                OptionName = OPTIONS_NAME_DISABLE_IMDS_V1,
+                Value = "true"
+            });
 
             AddAdditionalOptions(createRequest.OptionSettings, true, isWindowsEnvironment);
 
@@ -447,11 +458,41 @@ private void AddAdditionalOptions(IList<ConfigurationOptionSetting> settings, bo
                         throw new ToolsException("Additional option \"" + kvp.Key + "=" + kvp.Value + "\" in incorrect format. Format should be <option-namespace>,<option-name>=<option-value>.", ToolsException.CommonErrorCode.DefaultsParseFail);
                     }
 
-                    settings.Add(new ConfigurationOptionSetting
+                    // Handle case where already included settings are overridden by similar setting in additional options.
+                    var existingSetting = settings.FirstOrDefault(s => s.Namespace == tokens[0] && s.OptionName == tokens[1]);
+
+                    if (existingSetting != null)
+                    {
+                        existingSetting.Value = kvp.Value;
+                    }
+                    else
+                    {
+                        settings.Add(new ConfigurationOptionSetting
+                        {
+                            Namespace = tokens[0],
+                            OptionName = tokens[1],
+                            Value = kvp.Value
+                        });
+                    }
+                }
+            }
+
+            var disableIMDSv1 = this.GetBoolValueOrDefault(this.DeployEnvironmentOptions.DisableIMDSv1, EBDefinedCommandOptions.ARGUMENT_DISABLE_IMDS_V1, false);
+            if (disableIMDSv1.HasValue)
+            {
+                var existingSetting = settings.FirstOrDefault(s => s.Namespace == OPTIONS_NAMESPACE_DISABLE_IMDS_V1 && s.OptionName == OPTIONS_NAME_DISABLE_IMDS_V1);
+
+                if (existingSetting != null)
+                {
+                    existingSetting.Value = disableIMDSv1.Value.ToString(CultureInfo.InvariantCulture).ToLowerInvariant();
+                }
+                else
+                {
+                    settings.Add(new ConfigurationOptionSetting()
                     {
-                        Namespace = tokens[0],
-                        OptionName = tokens[1],
-                        Value = kvp.Value
+                        Namespace = OPTIONS_NAMESPACE_DISABLE_IMDS_V1,
+                        OptionName = OPTIONS_NAME_DISABLE_IMDS_V1,
+                        Value = disableIMDSv1.Value.ToString(CultureInfo.InvariantCulture).ToLowerInvariant()
                     });
                 }
             }

diff --git a/src/Amazon.ElasticBeanstalk.Tools/EBDefinedCommandOptions.cs b/src/Amazon.ElasticBeanstalk.Tools/EBDefinedCommandOptions.cs
@@ -205,5 +205,14 @@ public class EBDefinedCommandOptions
                 ValueType = CommandOption.CommandOptionValueType.IntValue,
                 Description = $"The application port that will be redirect to port 80. The default is port {EBConstants.DEFAULT_APPLICATION_PORT}."
             };
+
+        public static readonly CommandOption ARGUMENT_DISABLE_IMDS_V1 =
+            new CommandOption
+            {
+                Name = "Disable IMDSv1",
+                Switch = "--disable-imds-v1",
+                ValueType = CommandOption.CommandOptionValueType.BoolValue,
+                Description = "If set to true then the IMDSv1 will be disabled on EC2 instances running the application."
+            };
     }
 }